
Better privacy by fragmenting SNI clientHello

Open heri16 opened this issue 6 years ago • 2 comments

Implement better privacy of tlsrouter by fragmenting SNI clientHello. This should prevent high-traffic DPI snooping.

Add feature to use regex capture groups for dynamic routing.

Both features used together can circumvent some forms of censorship by ISPs.

Breakdown

  • [x] Add tcp fragmentation / segmentation of clientHello for better privacy (enabled by default)
  • [x] Expand regex capture groups for dynamic routing. See below.

Example config:

/(.+)\.oca\.nflxvideo\.net$/    $1.oca.nflxvideo.net:443
/(?P<subdomain>.+)\.oca\.nflxvideo\.net$/    ${subdomain}.oca.nflxvideo.net:443

heri16, Apr 07 '19 05:04
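The capture-group routing described in the breakdown above, as an added example that is not part of tcpproxy or of the issue's patch: it parses the two example config lines, matches a client-supplied SNI hostname, and expands `$1` / `${subdomain}` using Go's regexp Expand syntax. The `/regexp/ destination` line format and the names `parseRule` and `resolve` are assumptions; the sample hostname is constructed.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// routeRule is one parsed config line: a regexp matched against the
// client's SNI hostname and a destination template expanded from it.
type routeRule struct {
	re       *regexp.Regexp
	template string
}

// parseRule parses "/<regexp>/   <destination>". It assumes the
// destination contains no '/', so the last '/' closes the regexp.
func parseRule(line string) (routeRule, error) {
	line = strings.TrimSpace(line)
	end := strings.LastIndex(line, "/")
	if !strings.HasPrefix(line, "/") || end == 0 {
		return routeRule{}, fmt.Errorf("rule must be /regexp/ dest: %q", line)
	}
	re, err := regexp.Compile(line[1:end])
	if err != nil {
		return routeRule{}, fmt.Errorf("bad regexp in %q: %v", line, err)
	}
	dest := strings.TrimSpace(line[end+1:])
	if dest == "" {
		return routeRule{}, fmt.Errorf("missing destination in %q", line)
	}
	return routeRule{re: re, template: dest}, nil
}

// resolve returns the backend for sni from the first matching rule, or ""
// if none matches. Expansion handles both $1 and ${name} references.
func resolve(rules []routeRule, sni string) string {
	for _, r := range rules {
		if m := r.re.FindStringSubmatchIndex(sni); m != nil {
			return string(r.re.ExpandString(nil, r.template, sni, m))
		}
	}
	return ""
}

func main() {
	// Constructed sample: the named-group rule from the issue and one SNI.
	r, _ := parseRule(`/(?P<subdomain>.+)\.oca\.nflxvideo\.net$/    ${subdomain}.oca.nflxvideo.net:443`)
	fmt.Println(resolve([]routeRule{r}, "abc.oca.nflxvideo.net")) // abc.oca.nflxvideo.net:443
}
```

Because the SNI is client-controlled input that ends up in the dial target, anchor the regexp at both ends and constrain what the capture group may contain, otherwise a client can steer the proxy toward an unintended backend.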

The new regexp functionality would require tests.

What's with the unrelated DNS changes?

What is your threat model for "high-traffic DPI snooping"? The flag docs for the new hello-mss option don't say what value somebody would want, or how to disable it.

bradfitz, Apr 07 '19 05:04

I've made all these optional features disabled by default.

An explanation on how to use these features: https://gist.github.com/heri16/5e7a54190287103905622c23aaf884ca

heri16, May 21 '20 14:05